ABSTRACT

Motivated by the privacy issues curbing the adoption of electronic healthcare systems and the wild success of cloud service models, we propose to build privacy into mobile healthcare systems with the help of the private cloud. Our system offers salient features including efficient key management, privacy-preserving data storage and retrieval, especially retrieval in emergencies, and auditability for misuse of health data. Specifically, we propose to integrate key management from a pseudorandom number generator for unlinkability, a secure indexing method for privacy-preserving keyword search which hides both search and access patterns based on redundancy, and the concept of attribute-based encryption with threshold signing for providing role-based access control with auditability to prevent potential misbehavior, in both normal and emergency cases.
I. INTRODUCTION

Fast access to health data enables better healthcare service provisioning, improves quality of life, and helps save lives by assisting timely treatment in medical emergencies. Anywhere-anytime-accessible electronic healthcare systems play a vital role in our daily life. Services supported by mobile devices, such as home care and remote monitoring, enable patients to retain their living style and cause minimal interruption to their daily activities. In addition, they significantly reduce hospital occupancy, allowing patients with a higher need of in-hospital treatment to be admitted. While these e-healthcare systems are increasingly popular, a large amount of personal data for medical purposes is involved, and people start to realize that they would completely lose control over their personal information once it enters cyberspace. According to the government website, around 8 million patients' health information was leaked in the past two years. There are good reasons for keeping medical data private and limiting access. An employer may decide not to hire someone with certain diseases. An insurance company may refuse to provide life insurance knowing the disease history of a patient. Despite the paramount importance, privacy issues are not addressed adequately at the technical level, and efforts to keep health data secure have often fallen short. This is because protecting privacy in cyberspace is significantly more challenging. Thus, there is an urgent need for the development of viable protocols, architectures, and systems assuring privacy and security to safeguard sensitive and personal digital information.

Outsourcing data storage and computational tasks has become a popular trend as we enter the cloud computing era. A widely successful story is that of the company Total Claims Capture and Control (TC3), which provides claim management solutions for healthcare payers such as Medicare payers, insurance companies, municipalities, and self-insured employer health plans. TC3 has been using Amazon's EC2 cloud to process the data their clients send in (tens of millions of claims daily), which contain sensitive health information. Outsourcing the computation to the cloud saves TC3 from buying and maintaining servers, and allows TC3 to take advantage of Amazon's expertise to process and analyze data faster and more efficiently. The proposed cloud-assisted mobile health networking is inspired by the power, flexibility, convenience, and cost efficiency of the cloud-based data/computation outsourcing paradigm. We introduce the private cloud, which can be considered as a service offered to mobile users. The proposed solutions are built on the service model. A software as a service (SaaS) provider provides private cloud services by using the infrastructure of public cloud providers (e.g., Amazon, Google). Mobile users outsource data processing tasks to the private cloud, which stores the processed results on the public cloud. The cloud-assisted service model supports the implementation of practical privacy mechanisms since intensive computation and storage can be shifted to the cloud, leaving mobile users with lightweight tasks.

A. RELATED WORK 

Some early works on privacy protection for e-health data concentrate on the framework design, including the demonstration of the significance of privacy for e-health systems, authentication based on existing wireless infrastructure, the role-based approach for access restrictions, etc. In particular, identity-based encryption (IBE) has been used for enforcing simple role-based cryptographic access control. Among the earliest efforts on e-health privacy, Medical Information Privacy Assurance (MIPA) pointed out the importance and unique challenges of medical information privacy, and the devastating privacy breaches that resulted from insufficient supporting technology. MIPA was one of the first few projects that sought to develop privacy technology and privacy-protecting infrastructures to facilitate the development of a health information system in which individuals can actively protect their personal information. We followed our line of research with other collaborators and summarized the security requirements for e-health systems. Privacy-preserving health data storage is studied by Sun et al., where patients encrypt their own health data and store it on a third-party server. This work and Searchable Symmetric Encryption (SSE) schemes are most relevant to this paper. Another line of research closely related to this study focuses on cloud-based secure storage and keyword search. The detailed differences will be described later. The proposed cloud-assisted health data storage addresses the challenges that have not been tackled in the previously stated papers. There is also a large body of research on privacy-preserving authentication, data access, and delegation of access rights in e-health systems, which is most related to our proposed research. Lee and Lee proposed a cryptographic key management solution for health data privacy and security. In their solution, the trusted server is able to access the health data at any time, which could be a privacy threat. The work of Tan et al. is a technical realization of the role-based approach mentioned above. The scheme fails to achieve privacy protection in storage: the storage server learns which records are from which patient in order to return the results to a querying doctor.

Benaloh et al. proposed the concept of patient controlled encryption (PCE), in which health-related data are decomposed into a hierarchy of smaller pieces of information that are encrypted using keys under the patient's control. They provided a symmetric-key PCE for a fixed hierarchy, a public-key PCE for a fixed hierarchy, and a symmetric-key PCE for a flexible hierarchy from RSA. The first public-key PCE for a flexible hierarchy from pairings was proposed by Chu et al. The system of Li et al. utilizes multi-authority attribute-based encryption (ABE), proposed by Chase and Chow, for fine-grained access control. Their system allows break-glass access via the use of “emergency” attributes. However, it is not clear who will take on the role of issuing such a powerful decryption key corresponding to this attribute in practice.

The backup mechanisms proposed for emergency access rely on someone or something the patient trusts, whose availability cannot be guaranteed at all times. Moreover, the storage privacy proposed there is a weaker form of privacy because it does not hide search and access patterns. The previously stated research works failed to address the data privacy challenges we aim to tackle in this paper.

Finally, we also remark that there are other cryptographic mechanisms for privacy-preserving access of general data stored in a cloud environment.

II. SYSTEM AND THREAT MODELS 
A. SYSTEM MODEL 

The main entities involved in our system are depicted in Fig. 1. Users collect their health data through monitoring devices worn or carried, e.g., electrocardiogram sensors and health tracking patches. An emergency medical technician (EMT) is a physician who performs emergency treatment. By user and EMT, we refer to the person and the associated computing facilities. The computing facilities are mainly mobile devices carried around, such as a smartphone, tablet, or personal digital assistant. Each user is associated with one private cloud. Multiple private clouds are supported on the same physical server. Private clouds are always online and available to handle health data on behalf of the users.

Fig. 1. Cloud-assisted mobile health network.

B. THREAT MODEL

The private cloud is fully trusted by the user to carry out health data-related computations. The public cloud is assumed to be honest-but-curious, in that it will not delete or modify users' health data, but will attempt to compromise their privacy. The public cloud is not authorized to access any of the health data. The EMT is granted access rights only to the data pertinent to the treatment, and only when emergencies take place. The EMT will also attempt to compromise data privacy by accessing data he/she is not authorized to. The EMT is assumed to be rational in the sense that he/she will not access data beyond authorization if doing so is doomed to be caught. Finally, outside attackers will maliciously drop users' packets and access users' data even though they are unauthorized to.

C. Security Requirements

In this paper, we strive to meet the following main security requirements for practical privacy-preserving mobile healthcare systems.

Storage Privacy:

Storage on the public cloud is subject to five privacy requirements.

a) Data confidentiality: unauthorized parties (e.g., the public cloud and outside attackers) should not learn the content of the stored data.

b) Anonymity: no particular user can be associated with the storage and retrieval process, i.e., these processes should be anonymous.

c) Unlinkability: unauthorized parties should not be able to link multiple data files to profile a user. This means that the file identifiers should appear random and leak no useful information.

d) Keyword privacy: the keyword used for search should remain confidential because it may contain sensitive information, which prevents the public cloud from searching for the desired data files directly.

e) Search pattern privacy: whether the searches were for the same keyword or not, and the access pattern, i.e., the set of documents that contain a keyword, should not be revealed. This requirement is the most challenging, and none of the existing efficient SSE schemes can satisfy it. It represents a stronger form of privacy which is particularly needed for highly sensitive applications like health data networks.

Auditability:

In emergency data access, users may be physically unable to grant data access or may lack the knowledge to decide whether the data requester is a legitimate EMT. We require authorization to be fine-grained and authorized parties' access activities to leave cryptographic evidence.

III. Proposed System 

Our cloud-assisted privacy-preserving mobile healthcare system consists of two components: searchable encryption and auditable access control. Upon receiving the health data from users, the private cloud processes and stores it on the public cloud such that storage privacy and efficient retrieval can be guaranteed. Next, the private cloud engages in the bootstrapping of the data access and auditability scheme with users so that it can later act on the users' behalf to exercise access control and auditing on authorized parties.

A. Storage Privacy and Efficient Retrieval 

The first component is storage privacy for the health data. Our storage mechanism relies on a secure index, or SSE, so that the user can encrypt the data with additional data structures to allow for efficient search. It has been shown that the secure index-based approach is promising among different approaches for storage privacy. In our environment, the private cloud takes the role of the user, and the public cloud is the storage server in SSE. Sun et al. show the feasibility of the secure index for health data storage privacy. Their approach followed the SSE of Curtmola et al., which uses a linked-list data structure. However, there are practical issues that were left unsolved, which we will address in this paper.
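As an added illustration (not the paper's own construction), the following Python sketch shows the secure-index setting described in this section: a hypothetical private cloud derives pseudorandom file identifiers and keyword trapdoors from a master secret using HMAC-SHA256 as the PRF, the public cloud matches trapdoors without learning keywords, and its log makes visible the search and access pattern leakage of plain SSE that requirement e) above asks to remove. Class and function names and the sample records are constructed for this example.

```python
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the PRF; its keys never leave the private cloud."""
    return hmac.new(key, msg, "sha256").digest()

class PrivateCloud:
    """Hypothetical private cloud: holds the user's master secret, builds the index."""
    def __init__(self, master_key: bytes):
        self.k_id = prf(master_key, b"file-identifier")  # sub-key for file IDs
        self.k_idx = prf(master_key, b"keyword-index")   # sub-key for trapdoors
        self.counter = 0

    def next_file_id(self) -> str:
        # PRF of a counter: IDs look random, so one user's files cannot be
        # linked by anyone without k_id (unlinkability, requirement c).
        self.counter += 1
        return prf(self.k_id, self.counter.to_bytes(8, "big")).hex()[:16]

    def trapdoor(self, keyword: str) -> bytes:
        # Deterministic token the public cloud can match without learning the
        # keyword (keyword privacy, requirement d).
        return prf(self.k_idx, keyword.lower().encode())

    def build_index(self, records):
        """records: one keyword list per health record (constructed sample input)."""
        index = {}
        for keywords in records:
            fid = self.next_file_id()
            for kw in keywords:
                index.setdefault(self.trapdoor(kw), []).append(fid)
        return index

class PublicCloud:
    """Honest-but-curious storage: answers searches and logs everything it sees."""
    def __init__(self, index):
        self.index = index
        self.seen_tokens = []  # repeated tokens reveal the search pattern

    def search(self, token: bytes):
        self.seen_tokens.append(token)
        return list(self.index.get(token, []))  # result set = access pattern

def demo():
    priv = PrivateCloud(master_key=b"constructed-master-secret-for-demo")
    sample = [["ecg", "arrhythmia"], ["glucose"], ["ecg", "tachycardia"]]  # constructed
    pub = PublicCloud(priv.build_index(sample))
    hits1 = pub.search(priv.trapdoor("ECG"))
    hits2 = pub.search(priv.trapdoor("ecg"))
    # Same keyword, same token: the server sees the repeated search and which
    # two pseudonymous files match, exactly the leak requirement e) targets.
    return hits1, hits2, pub.seen_tokens
```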

IV. CONCLUSION 

In this paper, we proposed to build privacy into mobile health systems with the help of the private cloud. We provided a solution for privacy-preserving data storage by integrating PRF-based key management for unlinkability, a search and access pattern hiding scheme based on redundancy, and a secure indexing method for privacy-preserving keyword search. We also investigated techniques that provide access control (in both normal and emergency cases) and auditability of the authorized parties to prevent misbehavior, by combining ABE-controlled threshold signing with role-based encryption. As future work, we plan to devise mechanisms that can detect whether users' health data have been illegally distributed, and identify possible source(s) of leakage (i.e., the authorized party that did it).